Giters

slackhq / nebula

A scalable overlay networking tool with a focus on performance, simplicity and security

Geek Repo:Geek Repo

Github PK Tool:Github PK Tool

Using nebula for site-to-site VPN over multiple WLAN links: is it anti-pattern?

hth2 opened this issue · comments

commented

I would like to setup a nebula network as in this diagram:

image

nebula1 & nebula2: are gateways for home network, have unreliable connection to Internet
nebula10: gateway for a private network in the cloud, has reliable connection

my plan is to setup routing for hostA to route traffic to net 192.168.2.0/24 over nebula3, hoping that if nebula1 or nebula2 is disconnected from Internet (only one at a time), the connection from hostA to hostB still works.

Does this seem sensible, or a no-go?

Update: in this diagram nebula3 seems not necessary, however my home net is slightly more complex and hostA is not in the same network as nebula1 & nebula2.

commented

Hi @hth2 -

It is possible to expose your private cloud subnet using the unsafe_routes feature of Nebula: https://nebula.defined.net/docs/guides/unsafe_routes/

It is so-named because, as you guessed, it's an anti-pattern in situations where you are able to install Nebula directly on the nodes you'd like to talk to. This is because one of Nebula's primary features is its certificate-based firewall. When using unsafe_routes, it's not currently possible to limit hosts on the subnet to specific groups:

Logical evaluation is roughly: port AND proto AND (ca_sha OR ca_name) AND (host OR group OR groups OR cidr OR local_cidr).

Note that while local_cidr specifies a destination IP in the unsafe_routes subnet, groups is OR'd against it. PR #1071 may address this.

Another concern with using this feature is that all of your traffic will be funneled through the router box, so it will act as a bottleneck. In contrast, normal Nebula connections are peer-to-peer.

If possible, we recommend installing Nebula on each host in your cloud network. For services such as RDS, we suggest using unsafe_routesto gain access.

One final approach you can take, if you have only one or two services you need access to, but are unable to install Nebula on them directly, is to create a dedicated host on the subnet acting as a port forwarder to the internal service. Then you can protect this host with the regular Nebula firewall.